Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] The latest EU plan to outlaw encryption and introduce communication surveillance (mailbox.org)
364 points by New_California 4 days ago | hide | past | favorite | 250 comments





Recent and related:

EU interior ministers welcome mandatory chat control for all smartphones - https://news.ycombinator.com/item?id=29200506 - Nov 2021 (59 comments)

EU Chatcontrol 2.0 [video] - https://news.ycombinator.com/item?id=29066894 - Nov 2021 (197 comments)

Previously:

Messaging and chat control - https://news.ycombinator.com/item?id=28115343 - Aug 2021 (317 comments)

EU Parliament approves mass surveillance of private communications - https://news.ycombinator.com/item?id=27759814 - July 2021 (11 comments)

European Parliament approves mass surveillance of private communication - https://news.ycombinator.com/item?id=27753727 - July 2021 (415 comments)

Indiscriminate messaging and chatcontrol: Last chance to protest - https://news.ycombinator.com/item?id=27736435 - July 2021 (104 comments)

IT companies warn in open letter: EU wants to ban encryption - https://news.ycombinator.com/item?id=26825653 - April 2021 (217 comments)

Others?


This won't work for the same reason it didn't work last time (see: Clipper chip): you can't outlaw math. Phil Zimmermann showed this exhaustively, why the EU wants to ram their head into the same stone I do not know but the end result is quite predictable.

Besides that, all they will end up with is more information on how to make chocolate cookies and who is sleeping with who, it won't tell them where the next terror attack is going to take place or who will do it.


> ... it won't tell them where the next terror attack is going to take place or who will do it.

No, but I'm convinced this isn't the goal. The goal is to monitor the unrest of the people.


Monitor unrest, sure, probably a fair bit.

The rest of it is likely the "ability to just pull up data on anyone at any time just cause".

The old school, "we know where you live, what you said to your husband, and that you had marmalade jam with your toast this morning" spy insider knowledge gambit is a strong manipulation tactic whenever you need to convince someone to "just comply".

Having inside knowledge of mundane things that are assumed to be private hold a lot more sway than you'd think. It can make threatening ordinary people a lot easier. Do governments do this often? Probably not, but when they want to interrogate someone, I can almost guarantee they like to be able to pull up everything private they can as leverage in an interrogation.

Is this useful for national security? Probably not, but since when do governments actually care about national security when they can roll around on a power trip and feel big and godly?


The notion that privacy isn't a big deal, simply because you're unlikely to be the target of some massive covert campaign, is pretty ridiculous. That's how rights end. Give an inch, lose a mile. And lose the mile when it matters most.

And who knows, maybe you would become a political figure or something of that caliber down the road. You just never know. Don't assume you don't need as much privacy as possible.

By you, I'm speaking in general.


That's just another form of the 'I've got nothing to hide' argument. Typically made by people that haven't really thought the matter through.

I would hazard a guess that almost every citizen has committed a crime of some sort at some point, no matter how minor or inadvertent. There are simply too many laws to avoid it.

Killing a wasp in germany can cost between 5.000-65.000€^^.

Source (german):

https://www.bussgeldkatalog.org/news/wespe-toeten-droht-ein-...


I'd be highly surprised if it was just one. I would imagine its tens if not 100's over the course of a lifetime.

You can just open the newspaper for that, no need to eavesdrop on everybody's interaction. This doesn't make any sense.

When you look at the recent history, it becomes evident that all big powers were enjoying a through view of the societies they were governing, and modern communication changed this.

They don't want new powers, they want their old powers back. When I understood that, I enlightened.


There has never been a time, except for short periods, where the ruling class has had full access to what everyone has been saying or thinking. There has always been constraints on how much they can know about the populace. Distance, cost, manpower have all been age old constraints. A new technology usually makes it easy to monitor but then something else comes in the way to block it. I think Stasi are probably the only real-successful blanket monitoring.

Even the Stasi didn't manage to get everything, but they made a very impressive effort and a Stasi like entity with today's technology may well achieve the panopticon that they were shooting for able to suppress dissent before it hatched into something actionable. Their main tool? Snitches.

The tools we have made are quite dangerous for this and that's one more reason why we as the techies responsible for the creation of such tools should ensure that this can never ever happen. It's also one the reasons why Phil Zimmermann is one of my personal heroes.

https://en.wikipedia.org/wiki/Phil_Zimmermann


What are you talking about? Do you really think that the king of England had a better view into his subjects inner thoughts in the 18th century than literally anyone can currently do by pulling up anyone’s social media presence? You don’t need to read private text messages to know what people are up to. They tweet, post on Reddit, Instagram, and TikTok about it all the time.

I think by 'recent history' they mean more like 1970-2010 or so.

I'm not sure I agree but at least that isn't outright ridiculous like the 18'th century would be.


I was talking about [1960, ...}, but older "kingdoms" also had a passing knowledge about their population's state.

This knowledge was much leaner when compared to today, but there were less population to begin with, so that knowledge was enough.

Crowded countries like China had its social norms evolved accordingly and differently due to this population density.


How many people tweeted about storming Area 51 in the 1950s? Or put up long political monologues on Tik Tok? I think your argument is 180 degrees backwards from how things actually are.

Just because people didn't have Twitter or TikTok in 50s and 60s doesn't mean that people didn't think about these things. It was only disseminated to a tighter group, so they're closer, less prominent and smaller.

Increase in the speed of communication and in overall population allowed greater dissemination in shorter time, that's it. Before, more manual methods worked well enough to get a sniff of these activities, but it doesn't work now. So, governments want their cake back.

CIA did mass surveillance on state level with Crypto AG. Russians bugged whole fleet of diplomatic IBM typewriters. Intelligence agencies listened people via central heating pipes, insiders were planted inside suspected groups... The ways were numerous, and still are. The people, society and technology is evolving. So the game.

I don't support the initiative, but that's the state of the play right now.

This might be backwards when looked from there, but this is how it looks from here.


Right. So in the past it took massive amounts of money and manpower to watch relatively small groups of people. Now those same groups organize on easily accessible and sometimes straight up public websites so it takes less money and manpower to monitor virtually everyone. What power is the government trying to get back? Seems like achieving their goal got easier, not harder.

> Seems like achieving their goal got easier, not harder.

Nope. E2E communications have buried a lot of stuff proverbially underground. The leaks are reduced. Hence, governments lost the ability to monitor as they liked. There's much more and invisible communication going on when compared to the past, and it's much more detailed and direct. Also its volume has increased exponentially.

So monitoring that stuff got way harder, and they want the easy way back.


So read the actual contents of this story: https://gizmodo.com/everything-you-may-have-missed-about-the...

Notice the part about where the conspiring here took place and how those conversations were discovered and revealed. Sure two people can communicate over E2E but if you want to start a movement (something that actually would matter rather than just complaining to your bestie), you need to open it up to the public which turns out also opens up the door to people spying on you.


The bulk of the manpower for the Stasi was the good little people of East Germany ratting on each other.

> They don't want new powers, they want their old powers back

Maybe you're too young to remember a time when no one carried a GPS in their pocket, most payments were done in cash and only banks had CCTV cameras. I'd love to see states and companies take back the "powers" they had back then :)


No, I'm not that young, but I've read enough history knowing that countries had a passing knowledge about the state of the population under their control. You don't need Stasi or NSA level of access to know the state of your citizens.

Intelligence is an old craft. Insiders are old as well. However, speed of life and increase in population coupled with new communication methods invalidate these old methods.

To protect their status quo, governments want their so-called vision back, and then some...


True, but your phone calls, letters and packages were very easy to silently tap and interdict and were all controlled by central monopolies. Nobody encrypted anything, so raids on offices gave a lot juicy information in plain paper.

> They don't want new powers, they want their old powers back

I don't agree. They want both. They want more!


Yes, this makes good sense.

You think the newspaper reports people's concerns, or the newspaper dictates people's concerns?

I think newspapers mostly report the news. They also have things called opinion pages but those tend to be clearly marked as such and then there is this thing called advertising.

Yes.

That gives a view into what happened yesterday. Being able to eavesdrop on comms can tell you what will happen tomorrow.

Sure, 'bring me some potatoes tomorrow'.

What will happen tomorrow?

But terrorist suspect 'A' communicating with arms supplier 'B' is far more significant than terrorist suspect 'A' communicating with arms supplier 'B' asking 'B' to bring some potatoes tomorrow.

The value can definitely be in the payload, when both parties believe they are using a secure channel, see 'Encrochat' and a couple of others like it. But most of the time the things you should really worry about are going to look like 'bring me some potatoes'.

Boots on the ground, enough people to follow up on the leads available today would help a lot, and a budget to go with it to make that sustainable. Not more tech toys.

Anyway, I've written enough about this subject by now.


There have been plenty of boots on the ground in a couple of places in the last two decades and both are massive failures. In the meantime people of the western world share everything for free with everyone.

I think you misunderstand the meaning of 'boots on the ground' in the context of intelligence work.

Ah, you mean like Stasi or Polish UB, or OMON. Your original answer seems to be missing a clarification on what boots you mean. Yeah, that might work in conjunction with a full on oppression system.

Were there no “intelligence boots on the ground” in the places I have mentioned?


This whole affair is about sigint, electronic signals monitoring in the hope that something worth of more intelligent processing pops out. This works, but the amount of funds required versus the amount of output given all of the sigint operations at work today is enormous before you start moving the needle.

It's the human intelligence gathering where these groups are deficient, but that doesn't scale, so just like the start-up investors the governments believe that they will be able to do this on the cheap by widening the net. But that won't work, it just means they'll catch a ton more krill, and very few extra fish.


Of course but they probably want to know about it before it happens ;) Dark forces stirring up riots are indeed a thing, the same way QAnon is.

I absolutely don't agree it's worth sacrificing our privacy though.


I agree but for a different reason. It's simply not effective. Unrest can never be ameliorated by squashing it because censorship will always be routed around. Any attempt at pushing it down will result in it popping up somewhere else, sometimes in a different form. The only remedy is improving the material conditions for the majority of people.

In every revolution we've seen, the elites are unable to comprehend or unwilling to compromise, and in every case, the longer it drags on, the more dispossessed they eventually become. US state population trends starting in the 1840s are currently generating increasing unrest as a function of the structure of the US senate resulting in a rule by minority. As the chamber becomes increasingly unrepresentative, the ability to reform it becomes increasingly less probably due to the structure of constitutional reform.

In a more perfect world, US population geographics would be modulated by representative power. That however, is not the case. State and local governments increasingly sort voters by self-selection bias. Further entrenchment and unwillingness to compromise will be gasoline for the current tinder.


This is one of the engines behind 'history repeats itself'.

If you happen to have, or know of a list of the others, I'd be very interested in reading it.

Unrest isn’t always spontaneous and usually has a nascent stage and an accretion stage and finally critical mass. They probably would like to be on the inside before critical mass is reached.

Then you better hope that you have an ear to the ground.

The reason why plots get uncovered is usually because someone is stupid, not because of some exceedingly clever bit of code breaking. And let's be thankful for the fact that terrorism wouldn't work if all they were aiming for is mass death of their foes because for all of the fear that terrorists manage to sow they are cumulatively less effective over the course of 40 years than three days worth of COVID deaths,


You can't easily figure out which specific individuals are the ones "accelerating" the discontent.

Traffic analysis is a thing.

Bitches in twitches of fear,

pitchforks coming near.

Need to hold on to power,

hide secret contracts and manipulation,

threaten incarceration,

to anyone daring to question,

their legitimation.

Control is their only salvation.


you don't need to "outlaw math", you only need to increase the friction to the point where commercial providers can't provide encrypted services and 99.x% of people will comply. Not sure why people always bring this up like some gotcha.

The whole chain of e-commerce rests on the foundations of strong encryption, backdooring that would open the door to digital crime at a level that is off the scale compared to where it is today. The illusion that a government mandated backdoor will remain accessible just to the government is not going to last much longer than the first experiment in this direction.

We've already seen plenty of examples of that irl.


> The illusion that a government mandated backdoor will remain accessible just to the government is not going to last much longer than the first experiment in this direction.

I'm sympathetic to that argument, but it seems to be employed very selectively by the tech industry.

We already rely on many backdoors of exactly that kind in form of mandatory auto updates. Not only is this seen as perfectly fine, it's widely regarded as a security best practice.

Why can Apple or Google or Microsoft manage to keep their signature keys secure for decades while any keys managed by a government agency would leak with mathematical certainty?


Auto updates are a big security risk themselves, it is a matter of time before someone manages to hijack a major distribution point like that (Windows, Chrome, Firefox?). Once that happens we will probably review this.

Also: who is to say that Apple, Google or Microsoft manage to keep their keys secret? Not all thieves would be stupid enough to tell, and nationstates tend to hold such advantages on ice until they have a good enough reason to use them.


> Auto updates are a big security risk themselves, it is a matter of time before someone manages to hijack a major distribution point like that (Windows, Chrome, Firefox?). Once that happens we will probably review this.

And as some lower-hanging fruit: The repos of common programming languages and things like Docker Hub.

Python PIP, NodeJS NPM, Ruby Gems, we pull in a lot of stuff from people we don't even know. Every python project installs a gazillion of stuff from its requirements.txt. At least the OS updates come from a party we at least chose to do business with.

And it's not like this is not yet happening already. But I think it'll take a major Wannacry event before we'll stop doing this because it's just so damn handy.

But if you think of it, imagine you're coding and some random 'willywonka2586' on a public slack group says "Hey I wrote a handy library for that, here, go and install it and use it in a project for your customers!". This is kinda what we're doing.


This actually happened at a company I worked for. One of the Python dependencies of some service or another had a bit of code that phoned home. It was hard to detect, because it actually did the thing it advertised it was supposed to do, just that it added the phone home part. It was only detected because the way routing works inside AWS didn't allow it to phone home, and that generated a lot of network timeouts. IIRC, it took more than 90 days before the malicious library was found out and removed.

>It was hard to detect, because it actually did the thing it advertised it was supposed to do, just that it added the phone home part.

Was it a Microsoft dependency?


NPM should be top of the suspects list there.

Ok but then where is the large-scale movement against auto updates? Stealing an update key would grant an attacker strictly more capabilities than stealing a chat backdoor key: They could still eavesdrop on all chats by patching the apps on-device, but they could also do anything else the device's OS allows them to. Nevertheless I have never read anything about the imminent risk of update compromise.

Such an attack would be soon discovered and soon mitigated. Mandating that the backdoor be present would mean you have to wait for the government to mitigate the problem 6 months later and hope that it didn't soon fall again.

At worst the entire industry in that region is broken more often than they are functional. It's also notable that companies existing in this state of brokenness would be competing with companies living in a functional world. One might find that the defective universe continues long enough its inhabitants are extinct.


As I understand it, hijacking the update backdoor already occurred with the solar winds hack.

We already had that with Solarwinds just last year

> Not only is this seen as perfectly fine, it's widely regarded as a security best practice.

It's not "perfectly fine"; but the alternative is millions of computers with known security vulnerabilities exploitable by anyone, which is far far worse than a potential backdoor used by large companies or governments.


You could make that same argument in favour of the e2e backdoor: "The risk of child groomers, terrorists etc running rampant is far greater than the risk of a few chats getting leaked."

At the very least, this would need some quantification of risk: Probability and impact of keys getting leaked vs probability and impact of not installing a backdoor.


> At the very least, this would need some quantification of risk

Yes, of course.

And in the case of autoupdates:

1. the risk of finding a RCE in any random PC within the next few years is close to 100%

2. an unpatched RCE is strictly worse than a backdoor

3. how many computers won't be patched without forced autoupdates?

In the case of e2ee, I'm afraid it's much harder to quantify, though.


> The illusion that a government mandated backdoor will remain accessible just to the government is not going to last much longer than the first experiment in this direction. We've already seen plenty of examples of that irl.

Unfortunately, our beloved decisionmakers are gerontocratic, completely incompetent and bought out by corporate interests that also don't want encryption (e.g. copyright industry).


Copyright industry totally does want encryption, it’s kinda foundational for any DRM stronger than a pinky swear.

The ones who really want strong encryption: the lawmakers themselves, because their communications are of course exempt.

Alcohol prohibition, and then drug prohibition later, opened the doors to crime at an off-scale level compared to before. (Granted that it wasn't the same kind of door-opening.)

That X makes things worse for people in general just isn't strong evidence that governments will not do X. If you don't want X then you need to explicitly push back.


I am pretty sure that escrow encryption can be designed to give backdoor access quite precisely to certain quora of keyholders.

It's kind of like thinking "you can't outlaw physics" is a genius retort to speed limits.

Except of course that this is entirely unlike speed limits.

In a nutshell, and in case it didn't register with you when it should have: attempts to curb cryptography have been made in the past. The phrase 'you can't outlaw math' is a simple observation: strong cryptography will be available to everybody that wants it regardless of its legal status. So a government that would love to read your mail would do better to realize that they will only be able to read the uninteresting mail and for the rest of it they'll be staring at white noise. Meanwhile the baddies, alerted to the fact that the government is able to read your mail will either resort to other methods of communications or will use channels that they assume to be overt to signal covertly using other methods. There are plenty of examples for this.

So, in conclusion, no matter how much you want to outlaw strong cryptography, those that want it will have it, better plan accordingly or all you will do is waste more time reading data that you will find stupendously boring.


This is not about hardcore cypherpunks or terrorist that want encryption at any cost. This is about joe random using WhatsApp. And now he has some xanax and pete over there says he deals. Joe probably won't have strong encryption if it is properly outlawed, even if he is a low level dealer.

Because the thing is, making encryption software is hard. I doubt there will be convenient and easy to install software out there if you ban this stuff. And the majority of people won't use it if it isn't convenient and easy to install.


> So a government that would love to read your mail would do better to realize that they will only be able to read the uninteresting mail and for the rest of it they'll be staring at white noise

This is the crux of your argument, but it's false. E2EE has been available for decades but it wasn't used widely, by everyone including criminals, until it was pushed as the default.


Strong encryption has been available for decades as well, but it wasn't used widely until HTTPS and encrypted email. What is your point? That availability doesn't equate use? That's obvious. But now that it is widely used nothing has really changed, we're back where we started: traffic analysis and humint, which is not a bad basis for an investigation or an infiltration op.

It's not as if all of the old volume of mail was steamed open and read or everybody's TV equipped with monitoring equipment. Even libraries did not track who read what (though they did track who borrowed what).


Then the data you can't read becomes reason enough to pursue as criminal regardless of its content no?

Absolutely. I'm going to have to confess to having a fetish for white noise, I have many 100's of terabytes of it, can't get enough of the stuff.

'This communication is not readable. It looks encrypted.'

'Oh that, that's just white noise.'

'You are under arrest for illegal encription with the intent to <insert horrible criminal activity here>.'


I'm definitely at risk for that.

By that logic, anyone with a locked door and curtains closed is a criminal

If we outlawed locks then by definition they are criminal no? Isn't that the context here?

It's more like, "If you outlaw guns, the only people with guns will be outlaws."

And regarding internet privacy and secure communications, that's exactly what they want: for privacy to be associated (in the mind of the average citizen) with organized crime, terrorism and pedophilia.


yet 99% of people break that speed limit regularly. We all know speed limit laws are less about public safety, and more about generating revenue for the state, at least in the US anyway.

and 99.x% of people aren't engaging in sharing child porn anyway, it's the 0.1% of motivated criminals that will share encrypted files anyway, no matter what the law is. They will find ways around the law, they always do.

This is a thinly veiled excuse to take basic human rights away from people.


I'm curious where you get your information about speeding, because it kind of seems made up.

Speeding is tied to one third of traffic fatalities the last 20 years (https://www.nhtsa.gov/risky-driving/speeding), so of course speed limits are put in place in an attempt to increase safety on the road. There are plenty of arguments to be made about the best way to enforce speed limits, or ways to discourage aggressive driving (such as speeding), but there is little doubt that speeding is dangerous.


"Speed related" is another one of those examples where the government lies with statistics to sell some safety FUD while failing to address the root cause of the problem.

Countries such as Germany have much lower traffic fatalities than the USA but they can operate vehicles at much higher speeds. Speed isn't the problem... uneducated drivers, poor vehicle maintenance, poor road quality, etc are the problem. But all those things would upset the masses who think they are entitled to operate a vehicle for 50 years after 2 months of training and a 15 minute test, so (in the USA) we get the lowest common denominator and roadways that are engineered to handle vehicles at 80+MPH are stuck with 55MPH speed limits.


>Speed isn't the problem... uneducated drivers, poor vehicle maintenance, poor road quality, etc are the problem.

Speed isn't the problem, neither are any of the others you mentioned. They all add to the problem of traffic fatalities though.

They did a study in Germany and were able to halve traffic fatalities by adding a speed limit of 130kph on one Autobahn section, measured over 3 years.[1]

Sure you can improve road conditions and driver education, but a multi-pronged approach including speed limits is sensible.

[1] https://www.spiegel.de/auto/aktuell/tempolimit-mit-130-km-h-...


> We all know speed limit laws are less about public safety, and more about generating revenue for the state, at least in the US anyway.

That's absolutely not true. Sure, some stretches are just to generate revenue, but that you're not allowed to go 200km/h through a city is not for revenue generation. It's also not given by common sense - the fact that you need to set the limit 20 lower than what's save should be plenty of evidence.


I don't see how the rest of his point doesn't stand, though. How are they going to implement this? How are they going to "increase friction"?

This is an impossible task. There is no way they will be able to enforce this. It would literally require them to stick their dirty fingers into every piece of software built in the EU.

They can attack large corporations like ISPs and such and force them to do certain things, sure, but there is no way they can "ban" any kind of encryption with any real success, because, as the OC said, it's basically trying to outlaw mathematics. Forcing ISPs to perform deep packet inspection or whatever won't change the axioms of mathematics or fundamentally alter computer science so that they can suddenly break encrypted data coming from their clients.


It depends on whether the actual goal is to catch criminals or to monitor the average Joe. This law won't do anything against criminals ("you can't outlaw math"), but will work very effectively against the average Joe (all major software companies will be forced to comply).

Of course, the argument is that this is to combat criminals and we all know that it doesn't work that way, but it doesn't matter at the end of the day if the true goal is to just monitor people.


Exactly. It's security theater.

> 99.x% of people will comply

You are not interested in just "people". You are interested in very specific subgroup of those (1-x)% that already operate outside the law.


you think governments aren't interested in analyzing the private communication of the population? There's a long list of intelligence programs listed on Wikipedia that suggest otherwise. Governments are obviously interested in both with interests going way beyond crime.

And another fact is that these bans can even give you access to the people outside of the law. Practical example, Australia's sting operation of pushing their own 'secure' app on the blackmarket to lure criminals in. (https://www.washingtonpost.com/world/2021/06/08/fbi-app-arre...)


agreed, would not even be surprised if this is being pushed by the larger established email / communication companies as a way to crush smaller competition. In much the same way Facebook is pushing for regulations that only Facebook can afford to implement.

You can absolutely outlaw math. Australia did it in their anti encryption bills that passed.

Now that math, logic and reason are outlawed, soon I expect ethics and metaphysics to also be outlawed. Of course these fundamental ideas still exist, but if you use them they’ll throw the book at you!

A nonsensical book full of gobbledegook.


I wish Australia much good luck with this approach, I am going to take a stab at the eventual outcome: history will have a chuckle at them.

The goal is not to fight terrorism, CSAM or drug dealing. Not with the encryption laws, not with the data retention (= recording which customer used which IP address/CG-NAT port at what time) laws.

It's about control of dissent, about data mining, about preventing unrest. We have seen tiny glimpses of what can happen with France's Yellow Vests... and there is massive potential for unrest: socio-economic differences (wealth disparities), prices of must-have goods (energy, food, housing), corruption in all its forms, political ineptitude and incompetence, discrimination issues, climate protection measures (Yellow Vests) or the lack thereof (Extinction Rebellion), and sadly also measures to fight the coronavirus pandemic (e.g. the current riots in the Netherlands and Belgium, the near-storming of the German parliament).


No amount of decryption capabilities would have stopped that. The calls for those gatherings went out in cleartext and were amplified by the media once they got going.

They aren't trying to outlaw math. They are trying to make it unpractical. If the app stores don't allow E2EE apps, grandma isn't installing her own toolchain to compile her own copy. Then they can also outlaw public github repos that contain the "open source". This is scary stuff. We know the watchers can't be trusted.

Outlaw as in make it painful for those who use it. Cannabis has put many people in jail, its a plant that continued to exist. Same can be done with this. You’re not using government approved electronics, in jail you go.

Right. It's like saying you can't allow a plant. You can outlaw anything you want no matter how dumb it is. It doesn't mean people will comply. All it means is you created criminals.

Math nor encryption will be outlawed. They will demand that all communication platforms provide lawfull intercept facilities to the authorities. Parties that do not comply will be fined or forbidden.

Don't be fooled that it won't work. It works in China and they have math there too.


It will work just fine, they'll get a ton more traffic to analyze. But it won't work for the goal that they claim to have, it won't make a dent in crime (which China has plenty of, at all levels), and it won't stop terrorism (which China also has plenty of, and which of course others would label as freedom fighters).

The only thing China will succeed in is extending the gerontocracy for a little bit longer. But eventually the cost of strongly encrypted communications will drop to zero and then the information advantage that the government has is over.

Think 'Starlink' + a couple of rounds of tech improvement and the GFOC might as well not exist. The question is will the people care? In China, I'm not so sure. In the West, maybe they will, maybe they won't, but I for one will be happy to utterly ignore this if it ever makes it into law. Right now I don't bother encrypting my mail, but if this happens I might drop off the grid entirely, and I'll make it my mission to spread strong crypto as far and as wide as I can.

But for now it's just a misguided proposal by a clueless bunch of bureaucrats.


It is not the same. During the Clipper era email was distributed. In 2021 communication is centralized. EU leaning on Apple/Google/Microsoft/Facebook/Snapchat/Tiktok will make secure communication a pipe dream

You can't outlaw math, but you can make outlaws of people learning, using, or teaching math. You are saying the Clipper chip "didn't work", and that's true, but it wasn't "last time". Since then, many attempts were made and many did succeed, and we have Snowden and other whistleblowers to remind us of that fact. So you can downplay this current attempt all you want, but some people don't want their chocolate cookie recipes exposed to everyone just yet (maybe just in the Netherlands).

It will not only fail technically but most likely stuff like that won't get through/will get turned down by the ECJ

Oh, it'll work all right. Laws like this are a backstop that can be deployed specifically when technological measures fail. Remember "DRM can always be cracked"? That's what Section 1201 is for: five years in pound-me-in-the-ass prison for trying to crack DRM. These days, people accept DRM like Dilbert in the shock collar.

In this case, it's simply a matter of crafting the law in such a way that, say, possession or use of strong encryption without government backdoors automatically makes you a terrorist, the same way that possessing lockpicking tools automatically makes you a thief in Illinois. Then, once your communications become a little too random, the authorities can raid your computer and that of everyone you're connected with, arrest you and take you to a black site, and squeeze you for information (including rubber-hose cryptanalysis). And they're bound to find something juicy because most of the people going to the trouble of illegally using unbackdoored crypto are indeed terrorists, pedophiles, and other criminals. Using the "once X is outlawed, only outlaws will use X" effect to good effect.


People crack DRM all day, every day and they have ever since it was invented. It's never stopped. It's even a fairly well-known thing for people to buy games and then use the cracked versions without DRMs because they tend to be so invasive it can result in reduced performance.

I'm sure some people have been arrested and prosecuted but that's just symbolic scapegoat tactics and a pebble trying to stop the tide.

The laws you are describing are never going to be put into effect. It's just not going to happen. I don't believe the EU is full of people stupid enough to let it happen.. and even if it did, all the member states don't just automatically adopt and enforce every law immediately without thought. There are plenty of reasonable member states that just wouldn't accept these insane laws, or have populations which wouldn't accept them.


> The laws you are describing are never going to be put into effect. It's just not going to happen. I don't believe the EU is full of people stupid enough to let it happen.. and even if it did, all the member states don't just automatically adopt and enforce every law immediately without thought. There are plenty of reasonable member states that just wouldn't accept these insane laws, or have populations which wouldn't accept them.

I think that’s wishful thinking, given the previous experience of Clipper chip and 40-bit encryption rules in the USA and the Investigatory Powers Act in the UK.

Even as a British national living in Berlin, when I submit an app to Apple I have to agree to let the US government know about any use of cryptography by the app (by my reading including HTTPS, which is hope is merely legal caution rather than actual obligation).


When you have locked bootloaders and non rooted devices you can totally outlaw math

It's nothing to do with locked bootloaders or root access, the determining factor is simply whether you can run arbitrary code or not (like you can on Android for example). Bootloader locking and root user permissions are arbitrary system level concepts which are not relevant to that distinction.

Because nobody ever cracked a bootloader or rooted a device?

It gets harder with every generation.

You would think that their approach is a bit backward.

Big difference between de jure and de facto. We already have de facto surveillance in the US and the 5 eyes jurisdictions. Some of the other EU countries are also in on it.

They just want to add a de jure veneer to it.

For de facto leadership follow the US example. For de jure leadership follow the Australian/Chinese model.


There is a big difference. The secret surveillance can't be used in a normal court of law. Especially here in Europe as we don't have secret courts.

But there is another big difference: Currently services they can't tap into will be forced to make arrangements for this to be possible. Not sure how they will do this with the more decentralised platforms like Matrix but they will probably find a way :(


But if we had secret courts, how would we know about them? They're secret.

Beyond the amusing tautology, I think the US offers a pretty good example of how you can end up with non-secret courts issuing secret judgements based on secret proceedings, and still say "rule of law" with a straight face.

I'm sure the power-hungry in other democracies want this too, because having secret secret courts is a liability.


They only made them semi-secret because of Snowden's revelations though :) They didn't have a choice.

But I think secret courts won't fly on a large scale. People have connections and they will pipe up eventually. Maybe not every time but it will happen.


> The secret surveillance can't be used in a normal court of law. Especially here in Europe as we don't have secret courts.

You don't have secret courts.. yet. Anyway, it doesn't actually matter if you have secret courts or not, for high profile targets. The US has them and the US also has extradition treaties. And if you do have legislation against spying on your own citizens, your allies don't, they can do it for you and then share intelligence.

This whole effort is to short-circuit all of that and streamline an existing process.


I doubt it's really the high-profile targets they're after though. It sounds more like they want to make this the bread & butter of policing. Having an AI looking over our shoulders to see if we're up to anything bad. Of course not just the content of our conversations, but GPS locations etc. Basically like Apple was proposing but here they are already targeting a much wider range than just CSAM.

Because if it was only the high-profile cases the intelligence services already have huge permissions in terms of hacking, infiltration etc.


I agree with you about the general direction but you're hinting at preventive policing which I don't believe it to be the case. I mean just look at the US and the amount of surveillance since 9/11.. I think the goal here is to monitor dissidents or to help post-factum in investigations.

Not really preventative.

It's just that if you start collecting conversational data from everyone, you need AI to go through it. It's simply not possible to do it manually.

And once you get AI involved, scope creep is guaranteed because of the huge advancements being made in that area.

There's no way we can stop AI from being built but we can still stop some of our data from going into it.


You can't use illegal surveillance in court, but you can show it to the judge who issues the search warrant ( or however you call it )

In exchange, the police staff, their corporate friends and their political masters can know what you are doing in the restroom when you take a roll of toilet paper with you, or when you negotiate a business agreement in a bar.


A judge cannot issue a search warrant based on illegal surveillance. I'm not sure where you got that idea.

What actually ends up happening is called "parallel construction" where the evidence collected illegally is passed on to another party who "legally" builds it up to be accepted by the court.


In the US a judge needs to provide much less to the public, "probable cause".

My tinfoil/ CSI tv experience/ common sense tells me you can show a fellow human being something naughty, like illegal sting results, in private if you exert good judgement before, during and after the meeting.

Edit: Where I live, search warrants aren't required by the police. Which is a good thing (for regular people) provided the inaccessibility and corruption of the judicial power.


The legal bar for probable cause in the US is higher than almost anywhere else in the world.

If you're saying that cops and judges collaborate to get search warrants based on evidence they both know was obtained illegally... sure? It probably does happen on occasion, but I doubt it happens nearly as much as you seem to think it does.


There is no bar for FISA courts which is essentially a rubber stamp court:

FISC meets in secret, and approves or denies requests for search warrants. Only the number of warrants applied for, issued and denied, is reported. In 1980 (the first full year after its inception), it approved 322 warrants.[27] This number has steadily grown to 2,224 warrants in 2006.[28] In the period 1979–2006, a total of 22,990 applications for warrants were made to the Court of which 22,985 were approved (sometimes with modifications; or with the splitting up, or combining, of warrants for legal purposes), and only 5 were definitively rejected.

https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla...

-

As for probable cause they just sidestep such niceties all the time using many many tricks including buying data from your carriers and credit card providers.

https://www.cato.org/policy-analysis/stingray-new-frontier-p...


FISA courts are 100% unconstitutional BS that needs to be abolished.

Yeah I also heard some rumours of a lot of 'anonymous tips' coming from such sources. It can't be proven of course, which is why it's pretty smart of them to do it that way, if they do so.

This is a plan, not a law. It will never become law, because over my dead body.

If it turns into law I'll stop going to work. If I do that the project I'm in will fail, followed by my team collapsing, followed by my whole office revolting, followed by my employer crashing, followed by several Swedish cities turning to the streets in anger, followed by the whole of Sweden disintegrating, followed by the whole of Europe proclaiming "our know-it-all moral compass is gone" followed by Europe wide collapse, then American collapse.

Don't you worry for once second, peps, I got this.

- Very powerful EU citizen


I take it the whole corona thing happened because you got the flu sometime at the end of 2019?

Thank you for your service

I guess with your position, you probably have a direct line to Ylva Johansson. Any chance you can ask her to change this?

Are you being serious? If you stop working Europe and America will collapse? What happens if you get hit by a bus?

sounds like satire to the type of post you see on HN sometimes. people think because they made facebook for dogs and sold out for $50 million that the world revolves around them

I don't follow this closely but from headlines I've seen it appears as Europe goes after encryption more than the US. They also go pursue what many people consider "good" internet regulations as well, like right to be forgotten, and whatever the hell those cookie warnings are about.

I can't help but to think they are two sides of the same coin. Meaning that consumer friendly internet regulations we can all more or less agree on (e.g. let me cancel subscription online), is very correlated to consumer hostile ones (e.g. banning encryption and restricting ISPs).

Am I thinking about this wrong?


There are some lawmakers that are a bit delusional in their thinking and they believe that 'if only they could read everybody's email, listen to every conversation and follow everybody's movements' that they could make a serious impact on crime and terrorism. They don't realize yet that Europe is part of the same universe as the rest of the planet and that we don't get to try legislate that Pi is 3 here in the same way that it didn't work in the US.

Cryptography, in particular strong cryptography has become essential for business, a good chunk of our economy now has a cryptographic element to it. You can't expect that to survive without giving the baddies the same level of access that the government is demanding, besides that, the amount of noise they will have to deal with far outweighs any possible advantage.

At best there will be some drop in crime because of people being more aware of the chance of being caught but in the past such differences did not seem to make much impact. People will do what they will do, irrespective of the chance of getting caught.

All of these things are operating as points between two different extremes, the 'good balance' usually lies somewhere in the middle between the protection of rights on the one end and the ability of the authorities to do the jobs we entrust them with. A lot of these technical ideas originate from the perspective that if it can be automated it will be cheap and if it is cheap then they'll be able to fund it. Whereas good intelligence is super expensive, it requires boots on the ground in greater numbers than is currently possible within the budget constraints that there are. Europe is in this sense much more stingy than say the USA and that alone is a big driver behind all these digital tricks.

Also: do note that this is a proposal.


If it becomes real it's also asking to be trolled. Enough clever traps and the entire thing becomes worthless to the state.

They do seem more willing to regulate indeed. Those regulations are to benefit different groups.

Who benefits the mosts from end-to-end encryption?

I feel journalists and in-hostile-nation citizens are a smokescreen for more monied interests.


Maybe the US doesn't need to break encryption after seemingly backdooring every major service in the world (PRISM, etc).

The EU's overbearing character has been visible for a long while. It is the primary reason I supported brexit. It is working towards turning the union into a single country, has bitten off more than it can chew, and is looking increasingly despotic and dystopian.


I am a continental European and I have lived in the UK for some time. I always lived under the impression that the goal of the EU was to increase integration. I think the majority of continental Europeans feel the same and support this idea to some degree. I always felt that this was only news to the British.

I also support brexit. I would prefer for the UK to be in the EU because it would make all of us stronger and closer, as I think we should be, but I have to accept that current UK culture is just not compatible with the European project.

Good luck to my British friends, who I know see me as "foreigner". I don't see you as foreigner.


> I think the majority of continental Europeans feel the same and support this idea to some degree.

I guess that must be true of the political elite in the major (remaining) EU countries, or it wouldn't be the policy, right?

But for, say, Hungary, where I have a lot of experience, I'm pretty sure basically nobody thinks "increasing integration" should be the goal. Well maybe some tiny minority who happen to work for the EU itself.

The integration everyone cared about already happened, except for the currency integration which will never happen. (IMO good that it won't.) Now you have one side that would like to use the EU as a cudgel for rule-of-law questions but only without interrupting the flow of money; and another, more powerful side that uses the EU as a dog-whistle for nationalists as long as it doesn't interrupt the flow of money.

I can't speak for "Europe" (neither can Brussels) but I know a lot of people in Germany who also think there has been quite enough integration already, thank you. Try ordering an espresso in Berlin without speaking English.

(I neither supported nor opposed Brexit as I'm just a dirty foreigner in the EU either way, but I have sympathy for those who did so on principle.)


> the political elite

I'm not sure what this means.

> in the major (remaining) EU countries, or it wouldn't be the policy, right?

It is not some policy, it is an international treaty signed by every current in the EU. This would be like saying that NATO is "a policy". By the way, the remaining countries are 27. 13 of those joined since the year 2000 and one left.

> except for the currency integration which will never happen

Yes it did. What a bizarre statement.

> Try ordering an espresso in Berlin without speaking English.

I live in Berlin. You can order anything in German anywhere. This is at best a gross exaggeration, at worse an outright lie. It was exactly this type of "fact" that was used to convince a lot of British people to commit brexit.


Why do you think we should not cooperate more towards the common goals of humanity?

We don't need any more banners on every website, thanks.

Bad websites using dark patterns to circumvent laws aren't a good criticism of law.

I'm so surprised that here in HN, I keep seeing comments complaining about "banners" disclosing the fact that every interaction with the website is monitored by probably every mega corp out there.

If you don't like the banners, tell the websites not to collect your data for profit, rather than complain about knowing that they do.


This isn't an EU thing, UK and Australia are already down this road. This is really security services not knowing what they are really asking from the legislators and legislators being too clueless as to what they are about to do would actually result in.

GCHQ has effectively no legal limit, UK may 'technically' be under ECHR rules but they don't have means of verifying that they actually comply.

So, runaway rather than staying and using your absolute veto to prevent federalisation, thus abandoning Churchill's vision of the EC project being the way to keep peace in Europe? Brexit for you is the nationwide version of De Pfeffle Johnson hiding in a fridge?? Now the UK gets to be twice as despotic and dystopian to show achieve what???

Doesn't make much sense.

The threat of federalisation being imposed on the UK was just another lie.

That aside, if UK voted to support federalisation, what would be your principal fear?

The Tories seem mostly to have gone about increasing wealth disparity (dodgy contacts, corruption in parliament, tax breaks for the rich, pay freezes [ie real terms pay cuts] for the poor). What's their next move?


> It is the primary reason I supported brexit.

That's an interesting take because I've always thought, as an outsider, that the British population seems strangely accepting of authoritarian governments.


Nassim Taleb has argued the same. Smaller organizations are more resilient and stronger, and bigger ones are more fragile. The idea of continental integration is a very dangerous one. One day, when we have a one world government, where will refugees flee to? Mars?

The EU's democratic deficit, and the fact that these regulations can be rolled out to most of the world's major economies without any proper debate or (likely) checks and balances, proves the dangers of political organizations that are bigger than "human sized". How do you even protest this? Any country is forced to listen to mass protests, but there's no such thing for the EU.


Yeah? Then why won't Boris Johnson allow the Scottish to vote for independence?

Surely, taking your argument as truth, Scotland is smaller than the UK and therefore stronger than the UK?


Because he would go down in the polls if he did that. That doesn't mean it's the "wrong thing to do".

And yes, Scotland will exist for longer than the UK will, in all likelihood. They are "more durable" as I said. Them leaving would lead the UK to cease to exist in its current form.


Flee from what? a war with aliens? Natural catastrophies? Localized conflicts? Or are you talking about political refugees?

A world is essentially impossible to achieve anyway, because super powers don't want anyone to dictate rules.

The EU is not a mini-world government. it's an attempt at unifying many small nations to achieve peace and World power status. on their own, European countries are at the mercy if the US and China.


We have Amber Rudd - brexit won't change that I'm afraid.

Honest comment: I thought the UK was pushing these kind of laws to the EU. I am actually surprised that the effort is still there after Brexit.

Sadly Germany, a country that should know how bad it is to have the government have access to everything, is pushing for this.

Just about 32 years ago the Berlin Wall fell and shortly after the Stasi files were proudly presented as an example of tyranny. Now the German government wants to do the same.


History is the story of how humans never learn from history.

French intelligence agencies pushed some domestic legislation to let "black boxes" (the media's word) designed by them have access to telecom networks a few years ago. I think it passed.

There are lots of people in the various institutions of EU, some are bound to support mandatory CSAM screening.

But I very much doubt actual such legislation will get enacted. There is not even an actual proposal yet, only articles like this saying one is coming soon.

We do know CSAM screening legislation is coming as the current voluntary rules have a 3-year time limit - but it is, in my opinion, very unlikely there will be mandatory screening, despite some people reportedly pushing for it.


There is no actual legal proposal at all to introduce mandatory screening (yet, anyway).

In my opinion, such legislation would be unlikely to pass EU parliament. It is more likely that the current temporary rules allowing voluntary screening get reworked into a permanent legislative proposal.

AFAIK the only relevant official procedure here is this initiative that sought feedback from affected parties (and it does not mention mandatory screening - instead it asked for opinions on what should be done): https://ec.europa.eu/info/law/better-regulation/have-your-sa...


Are you in the know about the whole chat control fiasco? The legislation for non mandatory chat control/decryption is already there...

I assume you mean Regulation (EU) 2021/1232 (legal text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A... , press release: https://www.europarl.europa.eu/news/en/press-room/20210701IP... ) that got approved in July this year.

In my opinion it is not a fiasco at all. It simply allows the current pre-Dec-2020 practice of voluntary screening to continue for a limited period of 3 years (so they have time to get a proper permanent legislation in place). Privacy rules changed in Dec-2020 that made voluntary screening effectively illegal, hence the stopgap.


To be clear - that previous legislation only legalizes in the EU the CSAM content scanning that online services were already doing (by their own choice) in the EU before GDPR, and which they're also doing everywhere else.

It just avoids GDPR unintentionally making it illegal for service providers to scan for CSAM without opt-in user consent from every user involved, and only does so for a temporary period until legislation that formally defines service provider responsibilities is ready.

Personally, I'm fine with that. I firmly agree that private E2E messaging should not be banned (the suggestion in this post, which as noted above is not currently a real proposal) but I don't think that means service providers should be forced to blindly host user data that may contain CSAM against their will.


As an EU citizen what can I do about it? Patrick Breyer's last call to action about Chat Control lead to almost nothing: only the Netherlands and Germany voted against, and barely at that.

If an actual proposal comes out that would introduce mandatory screening, convince your representatives to vote against it.

There is no such proposal as of yet.

In my opinion, the last regulation applied in July 2021 was sound (final text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...), allowing a 3-year extension to the existing practice of voluntary screening until a proper legislation can be finalized.

Some would have wanted to completely disallow voluntary screening (which would have been the case had the regulation not been adopted, due to privacy law changes in Dec 2020), too, and I can understand that position. But that is seemingly not shared by European Parliament who voted to allow voluntary screening to continue (they did shorten the time period to 3 years from the original 5, though, by an amendment).


Any good cartoonists out there? We may soon need the EU equivalent of this: https://i.imgur.com/D93heEo.jpg

We need it yesterday. Get someone on this, stat.

I wish I knew how to make it plain to the politicians and law enforcement officials who ask for this why it must not happen.

It would literally be less bad for all display and input devices to have a (password protected, randomly created at time of manufacture) police access mode, than to ban cryptography.

I talked to my local MP about the UK’s Investigatory Powers Act when that came up. I still don’t understand why the UK decided to allow the Welsh Ambulance Service in particular to access, without a warrant, the recent “internet connection records” of everyone except sitting MPs and certain protected professions.


This reads like a premature encryption death notice. Encryption isn't going away anytime soon. Ban encryption and you essentially ban using The Internet in any meaningful way. That said I don't trust Whatsapp to NOT read my messages since it's closed source, and there's no way of knowing if your messages are truly private & secure.

GCHQ even proposed a 'ghost protocol'[0] so they can play Mallory in your comms. Infact I don't even trust the phone itself, since they /ship/ with Google/Apple-sponsored malware and phones are being hacked all the time.

Messenger apps are strange because they all have different caveats to each, and I've tried them all. For example: Signal requires a phone number, which by design, can leak your 'meatspace' identity. Some people don't like that, so they use Matrix (which has its own caveats too).

Personally, if the authorities go after messaging apps, it's not a big hit for me, since I don't use them heavily. I can see why businesses would take a hit since they want to protect business secrets, and protestors would take a hit & can't organize etc, but it won't affect me heavily. YMMV.

[0] https://www.wsws.org/en/articles/2019/07/06/gchq-j06.html


I did some digging, because every time I have heard of ChatControl I have seen all this talk about what the EU plans to do and no evidence.

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE... is the strategy document.

So far, there is a temporary derogation from the ePrivacy Directive (https://www.europarl.europa.eu/RegData/docs_autres_instituti...). The ePrivacy directive as part of the EECC forbids (for the sake of discussion) email providers from scanning Maildirs, even if those maildirs are cleartext (as is the case for the majority of providers, s/Maildir/backend storage). The temporary derogation lets them scan for CSE in these sources.

I don't see any proposed regulation explicitly targeting end-to-end encryption, but their strategy document does seem to label end-to-end as a problem, citing the NCMEC (US). The project is here: https://ec.europa.eu/info/law/better-regulation/have-your-sa... .


Can someone explain the legal structure under which the EU parliament can (according to this post) dictate laws for service providers inside all of the sovereign nations inside the EU? I would've thought that this was outside the scope of the EU -- is there some kind of "commerce clause" type loophole for this, or was power constitutionally transferred to the EU parliament at some point? If a member nation refused to obey an EU law (or whatever it is), what sort of punishment or sanction could be applied to them?

> is there some kind of "commerce clause" type loophole for this

The EU is not just a commercial organization. It is an actual political union. The English-speaking press tends to hate mentioning this, but it is the truth. The treaty of Lisbon says that the goal of the European Union is to create an "ever closer" union between the member states. Every member state signed up for this.

> I would've thought that this was outside the scope of the EU

Few things are outside the scope of the EU.

> was power constitutionally transferred to the EU parliament at some point?

It is a very complex topic, but the short answer is "yes". Member states agree to translate EU parliament decisions into national law at their own time. They have the ability to veto any initiative through other channels.

> If a member nation refused to obey an EU law (or whatever it is), what sort of punishment or sanction could be applied to them?

This things are usually dealt with through diplomacy. There is a lot of tolerance. Often nothing happens but many types of sanctions (usually economical) are possible.


The US is also (obviously) a political union, but the Feds cannot legislate on every issue, some issues are left to the states. One exception is on matters where interstate commerce is affected, where the Feds have broad power. That's the commerce clause exception GP was referring to.

If you want further detail, look up Wickard v. Filburn. An activity taking place within one individual's property in a single state can be regulated under the interstate commerce clause, so long as a case is made that it affects interstate commerce. Sounds wild, and it is, but the dependency graph is such that we can't change that now without upsetting the whole cart.

Even wilder: the other day I ran across https://en.wikipedia.org/wiki/Gonzales_v._Raich which apparently held that growing marijuana, for personal use under state law, is also interstate commerce. Is there anything at all that isn't interstate commerce?

I mean, that's basically Wickard v. Filburn 60 years later and with a different plant. It actually seems downright reasonable if you accept Wickard as settled law, which it is.

This proposed anti-encryption legislation by the European Commission comes from an initiative of the interior ministers of the European Council which is composed of the heads of the individual governments of the member states. It's the member nation's governments that want this, not the European Parliament.

The EP has yet to vote on this.


I dont think the parliament by itself can set laws, it would need to be agreed to by the Councilof Ministers as well. So unless they're happy with it it wont happen. As for sanctions for not applying the law, fines, holding back of funds. If they dont apply the law or dont follow it they can be taken to the European court of justice. I dont think we've ever had a scenario where EU law has not been applied unless there was an opt out. We may see that tested soon, by Poland and Hungary though.

the basic legal structure of the EU works like this. The EU does not create laws, it creates what's called directives. National governments are bound to create domestic laws implementing said directives. the EU has the mandate to overrule nation states on what to do but not how to do it, and in reality the system leaves national governments quite a lot of leeway, intentionally. (The EU also can create 'regulations' which are directly binding, comparable to an act of parliament)

And the EU also has mechanisms to impose penalties for countries that fail to comply, but in practice this is rarely done for political reasons.


While it is true that directives require implementation, it is not true that the EU cannot directly create legislation. EU regulations do have a direct effect, meaning that no implementation law is necessary. GDPR is an example of this (General Data Protection Regulation).

This is a pretty good video that explains the legal/political structure of the EU: https://www.youtube.com/watch?v=_lj127TKu4Q

Because the only way to fight slavery is with more slavery, obviously.

All this fuss just to catch a few terrorists and then release them again as has happened so many times.

If they catch all the Assange's that's worth for them. Terrorists aren't the real terror for the powerful.

Sadly we in Europe haven't had a lot of Assanges or Snowdens. I think this plays into the marketability of these proposals too. People think it's just the US doing it and it isn't so bad here.

If there is a silver lining to this cryptocurrency madness, it could be that it's educating the public on just how great cryptography really is.

These attempts at outlawing encryption of any form should be met with a lot more pushback from now on.


I don't understand how the same institutions can come out with something as good as the GDPR and as bad as this bullshit. It's very tiring to have to fight against these things all the time, and it feels like our concerns aren't being heard.

The EU is a fairly massive entity at this point and its government(s) are no exception. There are several arms of that government that are firing on all cylinders, privacy, and the cartel watchdog come to mind. There are also arms that are not effective or even detrimental. But these operate relatively independent of each other.

Note that you are comparing a proposal on the one side with a law on the other.


The EU Commission is the especially scummy part of the EU.

I think its about opening an avenue to regulate internet. For instance most regulations start at the extreme (e.g. child safety). And over time once that avenue is open, special interests and police state can use those channels to impose their will. Going from 0 to 1 is the difficult part. Going from 1 to N is a lot easier.

It probably isn't the same institutions..

Or, to be clear, it isn't.

For this to be turned into a law it would need to go through several steps, and currently there really isn't any reason to think that it will.

Maybe this is why we are reading this on a blog from an email provider and not the front page of a newspaper.


Ah, that's encouraging, at least.

They are just going to try over and over again, until there is Olympic games or a football Worldcup to distract the people.

Guess what's coming in 2022?

GDPR was actually by "accident".

Jan Philipp Albrecht was appointed as rapporteur of the European Parliament for the process of the GDPR law making. His job was to take care of the process to find compromises between many opinions and fill them into law. Since he actually cares about privacy, he was in a position to make sure that the compromises keep a certain level of privacy protection. He's from the german "green/environmental" party. There is an interesting documentary about his role and the process: "Democracy: Im Rausch der Daten". I don't know if there is an english version. There is a german version on youtube. The "mistake" was to appoint him as rapporteur.

The "mistake" was not repeated, when Axel Voss from the german conservative party was appointed as rapporteur for the "Directive on Copyright in the Digital Single Market (2019)".

(Note: The law making process in the EU is long and complicated and I do not know where this draft is currently in the process.)


Ah, that's interesting background, thanks!

That’s more or less the argument for liberalism. A climate of intense regulation will sometimes ban stuff you hate but also sometimes ban stuff you like.

It feels like that because "our concern" ARE NOT being heard. The privacy concerns voiced on HN are far removed from what the voting population here (Belgium) thinks. Most people don't mind surveillance "because they aren't doing anything wrong". You have to put in a lot of EFFORT to explain it to them. "First they came for the socialists..." and all that.

Yeah, unfortunately that is a big problem. People don't care about privacy until it affects them, but then it's too late.

You think GDPR is good? It entrenches the monopolies of the Googles and makes it harder for a startup in a garage in Berlin.

-

I am sure there are some people who clearly enjoy pressing on the cookie popups when they travel to Europe like popping zits. Maybe it is the Eurocrats in Brussels.


This is nonsense. You could simply decide not to track you users and then your garage in Berlin works just as well as your garage in Palo Alto would (though the latter would likely lead to an easier round of funding).

GDPR also applies to the data you process about your prospective, current and former employees; the data you hold about your customers in order to fulfil your contracts with them; their feedback; etc. You can't avoid GDPR just by not tracking users; that does help you avoid a different law though (the ePrivacy directive's so-called "cookie rule".)

Yes, which is excellent.

But the start-up in a garage example was - at least, that's the way I read it - meant as there currently not being a level playing field with respect to end users, not necessarily employees. And let's be perfectly clear here: employers that are callous with their employees data are to be avoided like the plague, no matter where they are located.

As for your customers: yes, you should be careful with that data, and no, their feedback does not necessarily fall under the GDPR, only when it concerns the privacy of the individuals mentioned therein. But normally speaking such feedback would not be about such specifics but about the product itself.

Not tracking your users has a big impact on how a company is set up, what data marketing has access to, what data system administrators and sometimes even programmers have access to. Storing your data in an anonymized way can make good sense. It likely will impact your business, but leaking of that data will impact the lives of your customers more, so that's why the GDPR is written the way it is: you minimize your footprint to that which you need and you will be doing just fine.


"I like your Widget Max Pro, it's better than the Rival X1 I had last year. But I dropped it in the toilet and now it won't turn on, so I suspect you're lying about its IP56 rating".

Let's says that 1 out of every 3 product / service reviews is like this. Do you (a) block/filter them out and treat the remaining ones as non-personal data, or (b) treat your feedback pipelines/database as personal data regardless of whether some of the reviews are, somehow, devoid of personal data?

(Or (c), do you not think the example above contains personal data?)


C

Because it fails the Breyer test (no reasonably likely means of identification of the data subject), or the Nowak test (no link to a particular individual, by virtue of the data's content, purpose or effect)?

I'd say it definitely is my personal data, telling you - inter alia - about the objects I own, the opinions I hold, and my recent behaviour.


> It entrenches the monopolies of the Googles and makes it harder for a startup in a garage in Berlin.

In what way?


The start-up in the Berlin garage is hampered in its ability to make money via advertising vs the US-based Google (or Facebook, Twitter, Pinterest, Reddit, Snapchat, Amazon).

Unless the plan is to go straight to the US market, to domicile there and to hire employees there to get started, as it's a radically more lucrative advertising market than the EU, in part thanks to GDPR.

The US market still largely has a comparatively laissez-faire approach to advertising, personal information and privacy. In the US you can still build a tech juggernaut in the way Google and Facebook did, by way of rather invasive advertising practices. You can't do that in the EU today, zero chance. In the US market you can jump-start a company that way, and if you have to later on you can look at dialing back or changing your exact business model. You don't have that option in the EU, you're far more heavily restricted, it cuts off your ability to liberally utilize a gigantic advertising market in the way US companies can. It provides US start-ups a big advantage. You set up in the US, grow into the huge US market, then use your resources to go into Europe and comply with their various requirements (along with paying their slap-on-the-wrist fines inevitably).


So the startup in the EU can't play fast and loose with my data to get rich? And that's bad how?

The cookie banners are a good example for a perversion of the law and if companies will keep up the dark patterns and law-hacking, the EU will update the GDPR laws to also forbid dark pattern cookie banners and BS EULAs and all the other crap.

The GDPR isn't great, but several of its more bureaucratic requirements kick in only once you have over 250 employees (assuming you're not doing relatively risky/intrusive stuff with data), so it's not the end of the world for startups.

We are globally quickly slipping down the slope into some disgusting hybrid of Huxley's Brave New World information inundation, and Orwell's 1984. Throw in there that humans are now able to own less and less each passing year. Who can say with certainty what the end goal is, but these things should not be playbooks!

Does this mean that one day https will not be allowed in the EU and companies will have to go back to supporting http?

Why would it? It just means your cert store will soon have EU signed cert so they can decrypt your TLS connections

I think it's pretty naive to think that digital privacy allowing spreading of child sexual abuse material is going to be accepted in the long run. If we don't figure out a better answer to how we can have one without the other then we're gonna lose digital privacy.

It clicked for me that the real danger posed by encryption to these governments is that it can guarantee truth. When everything is narrative, even something as simple as a commitment hash for a document removes discretion from the sovereign body because it encapsulates a non-repudiable truth. Irreversible processes (like blockchains) constrain the effect of rule by fiat. The people who write these censorship and anti-encryption regulations aren't worried about secrecy or even crime, violance, and abuse, they just fear being accountable to truth.

The real danger of encryption, and in particular blockchains, is that it can subordinate the legitimacy of the state and its policies and actions to a test of truth, and this is why they hate it. The abuse and terrorism arguments are red herrings for this to distract from this fundamental dynamic.


There will always be steganography. Hide information in things. Like the red channel of a specific section of a cat picture, in diagonal strides or something. Good luck finding that shit.

To be safer, I would rather have everyone tracked except me, because I know how to use encryption tools. If criminals want unencrypted communications, that's also their choice.

If you're the only one using encryption, it should be very easy to target you.

Many keyboard apps can predict your next word. Download a matrix with 20k English words, showing the probabilities of each word. Arbitrarily choose the first word. Consider the most likely next 8 words for your current word and choose one of them in a way that encodes your 3 bits. Continue until all your data is encoded by groups of 3 bits.

Well, anyone can Base64 anything, and, what's underneath the Base 64 could be binary or ansi or utf-8 or anything. Or encrypted good if you have half a brain. So; Good luck with that.

EDIT: Noone types the message-letters on a hooked-up machine. You prepare / encrypt the payload before you paste it onto the sending computer / device. Anything withing the Base 64 you paste into the message-field should be impenetrable.


Here's a probably truly unpopular opinion: I think it's reasonable policy to enable police, after a judgement by an impartial judge, to surveil suspects, encryption or not.

This has worked reasonably well for decades, in Europe's liberal democracies, for pain old telephone, mail, searching apartments, etc. Yes, there have been mistakes and failings, but by and large this system works, and prevents substantial harm.

These powers need an actually independent judiciary in a strong legal system (ie. not the us). And they need to be kept out of the hands of secret services (as opposed to genuine police work overseen by judges in the public record).


The point that people are trying to make is not that surveillance itself needs to be banned. I think any reasonable person can see that there are circumstances where it's necessary. The issue is specifically with backdooring encryption to enable surveillance.

You're basically describing some magical fantasy land where the ability to utilize the backdoor could be restricted to "genuine police work" by the legal system. Here in reality, we have to acknowledge that it's impossible to do that.


And Osama wins again.

Does anyone here actually read the resolution before they go claim that the EU is "outlawing math". This is about punching very small and specific holes in the GDPR to allow service providers to scan for CSAM. It does not make it illegal to create technology that can't be intercepted. It removes the excuse that you can't provide the government with data because that would be violating GDPR.

Additionally, service providers MUST inform you that you they have scanned your data for CSAM: "Service providers should inform users in a clear, prominent and comprehensible way that they have invoked the exemption provided for in the Regulation"


Beware, this comes from the guys that managed to put a freaking cookie layer on almost every website in the world.

Maybe it's time for the EU to end. Peoples of Europe are tired of EU beaurocrats eroding their rights and going against their interest. Or it's time for the EU to be reformed.

These tired people could perhaps start to vote instead of complaining.

quite a few of us in the UK did indeed vote to enact change

I am sure the Scotts and Irish are thrilled by the change.

the UK was the member state, and voted as one entity

Yorkshire or London didn't get a veto over leaving either, and both have larger populations than Scotland


Arguably the EU is enforcing the rights of their citizens more than in many other places (eg. GDPR). Ultimately the EU citizens should vote when there are parliament elections instead of complaining about the bureaucrats afterwards. Only 50% turnout last time.

This is true but our votes are so diluted. And there are almost no good choices anymore. Almost all major political parties have an open ear to lobbyists who are much better at influencing them than the public is.

I still vote but I don't really see the point anymore either. The game seems rigged.


it is rigged

by design: the EU acts as a ratchet: powers that formerly belonged to national parliaments are transferred to it, and can't be transferred back

those powers are then exercised by the executives of Europe's governments rather their parliaments

the same is true of EU legislation: once the "parliament" has rubber-stamped legislation: it can't revoke it


Yes and those executives (the European Commission) we don't actually vote for. And those are the ones with the most power.

I've always thought that was weird. I'd want to vote for them directly.

I don't mind the power transfer per se. Within Europe a lot of things make sense to do Europe-wide. In fact a lot of things are not done Europe-wide which I think would make a lot of sense to do so. Like transportation: A lot of countries have extra taxes like 'vignettes' for foreigners while others haven't. So if I go there I have to pay but they don't pay when they come to my country. Of course countries that see a lot of transit traffic should be paid but this should just be paid straight from the EU IMO. It's creating unnecessary barriers. There should also be an EU driving license instead of having to get it locally where you live at the time and losing categories which don't exist there. And why do we still have separate train systems and road rules? Mutualising traffic signs to minimise mistakes is something that could really save lives.

And social welfare, right now it's a total pain if you have worked in several EU countries. Pensions etc are fragmented like crazy and there's a lot of paperwork.

But instead they focus too much on merging the national markets to appease big business IMO. Instead of tackling the real issues for citizens.


Why does this sound like an unlikely development?

I feel the EU has both good privacy things (GDPR was a good step forward, not perfect, but arguably good, forcing things like the right to be forgotten), and then they have these widely anti privacy ideas like the ones presented in this article.

Why the disconnect? That's my fundamental question.


Too many bureaucrats, proposing too many things.

Different political forces with different goals, and GDPR, targeting businesses, isn't fundamentally something the "more state surveillance" group had to prevent, even if they wouldn't have introduced it themselves.

And the pro-surveillance push sadly is fairly endless, see also countries trying to introduce general recording of internet metadata despite the EU top court repeatedly having made clear that that's not going to be a thing that survives a legal challenge.


GDPR would be dead for me the instant this should became law.

it's essential for security

to the people who complain, we didn't hear you when the US kept (is still is) massively tracking you

and let's not talk about all free apps on your favorite smartphone, they track you to death

but who cares, nobody should track me for everyone safety! only for everyone's lack of privacy!


It actually isn't. What is needed for security is better humint, better sigint only increases the stack of hay that the same number of needles has to hide in.

Note that in a very large number of terrorist attacks the knowledge was already available, but it either wasn't acted on, communicated improperly, not given enough urgency or lost because too much time was spent looking at spurious signals. Every time the amount of information available goes up that last factor will grow. Signal vs noise is the main contributor in why 9/11 happened, and the same goes for a lot of other terror attacks as well. But that sort of admission requires a complete review of how this is all practiced, would require an end to the security theater and would cut a whole lot of pork. I'm somewhat skeptical that this will happen.

But more security theater moves to appease Joe Public and look tough, of course.


> Signal vs noise is the main contributor in why 9/11 happened

9/11 happened because they let it happen

Jets would come at you if you flew over cities without permissions

Why do we encrypt things in the first place? because lack of trust

Maybe let's fix that instead of expecting society should lack "trust" between actors


> 9/11 happened because they let it happen

Respectfully, you're nuts.


By "let it happen" i don't mean it was intentional!! don't get me wrong!

I am saying they weren't prepared for the fact that such event could happen

And this is the same as expecting states to not apply surveillance despite encryptions

If we are not prepared, then it can happen

And if we don't want to be prepared by choice, then we let that kind of event happen


There had already been books and movies with that theme, you can take it to the bank that hi-jacked airliners as an improvised WMD were on the radar at the relevant institutions.

The problem was that even if the information was available to them they didn't act on it timely.

https://en.wikipedia.org/wiki/September_11_intelligence_befo...


> to the people who complain, we didn't hear you when the US kept (is still is) massively tracking you

You weren't listening then.


Ban encryption.... hmm, that's certainly one way to get rid of cryptocurrency and solve those pesky ransomware attacks. Good! I didn't read past the title, so I may be wrong about the actual contents of the article.

It has absolutely nothing to do with cryptocurrency.

And it's not exactly a ban either. It's about a mandatory backdoor in encrypted communication.

Not that makes it any less bad but it's important to clarify. The title is not clear about this.


> I didn't read past the title

Then maybe you should?


It would be more appealing if the title was not so alarmist. "Outlaw encryption" Really?



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: